Extracted

Extracted

• • Target

    EXMservice.exe

  • Size

    12.0MB

  • MD5

    aab9c36b98e2aeff996b3b38db070527

  • SHA1

    4c2910e1e9b643f16269a2e59e3ada80fa70e5fa

  • SHA256

    c148cc14f15b71a2d3f5e6bce6b706744f6b373a7e6c090c14f46f81d2d6e82f

  • SHA512

    0db75756a041a7cda6b384718581aaf11e6873614465dd56e81f17ad171cffe380e288a3c2ee540222190392904921f26df8a1d66d4108051c60fc8e5b2df779

  • SSDEEP

    6144:tgIFnaVf5qSsmMLN6+kjn7nPZDt7FY7n16EUkKUBnf6R3Xnd:4fA5y7PhNi71PfKUV6R3X

  Score

  10^/10

  asyncratstormkittyxwormdefaultdiscoverypersistenceprivilege_escalationratspywarestealertrojan

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat

  • Asyncrat family

    asyncrat

  • Detect Xworm Payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Stormkitty family

    stormkitty

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Async RAT payload

    rat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  behavioral1behavioral2